<html>
<head><meta charset="utf-8"><title>RFC#2585 · edition 2021 · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/index.html">edition 2021</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html">RFC#2585</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="221106891"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221106891" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Noah Lev <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221106891">(Dec 29 2020 at 02:27)</a>:</h4>
<p>Do we want the lint from <a href="https://github.com/rust-lang/rfcs/issues/2585">RFC#2585</a> to become warn-by-default in Edition 2021? Currently it's unstable (see <a href="https://github.com/rust-lang/rust/issues/79208">#79208</a> for stabilization PR) and also allow-by-default.</p>
<p>cc <span class="user-mention" data-user-id="120791">@RalfJ</span> (who wrote the RFC) and <span class="user-mention" data-user-id="255061">@Léo Lanteri Thauvin</span> (who implemented it)</p>



<a name="221107123"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221107123" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Noah Lev <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221107123">(Dec 29 2020 at 02:33)</a>:</h4>
<p>(Or even make it deny-by-default; not sure what the plan is for that lint.)</p>



<a name="221112525"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221112525" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221112525">(Dec 29 2020 at 05:12)</a>:</h4>
<p>cc <span class="user-group-mention" data-user-group-id="1977">@T-lang</span></p>



<a name="221116444"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221116444" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> scottmcm <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221116444">(Dec 29 2020 at 07:08)</a>:</h4>
<p>Personally I remain unconvinced that it ever ought to be a <em>hard</em> error, but would have no objection to changing its default severity as a lint.</p>



<a name="221138233"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221138233" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221138233">(Dec 29 2020 at 14:35)</a>:</h4>
<p>I guess that's a matter of what the end goal is that we want to reach here eventually (in terms of default severity) -- not sure if T-lang has consensus on that</p>



<a name="221145331"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221145331" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> cuviper <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221145331">(Dec 29 2020 at 16:18)</a>:</h4>
<p>I didn't follow the RFC discussion, but a suppressable lint seems so non-committal here, making it just a style issue instead of <em>actually</em> saying that <code>unsafe fn</code> is not an <code>unsafe</code> block. We have to do that for compatibility, but if we're not going to make it a hard-error language change in the next edition, then the whole idea is weakened.</p>



<a name="221151700"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221151700" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> rylev <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221151700">(Dec 29 2020 at 17:39)</a>:</h4>
<p>As a stakeholder from a company where Rust's safety is the number one reason for adoption, the more we can push for de-coupling of unsafe functions and unsafe blocks, the better. I'd love to see this get close to deny-by-default as possible.</p>



<a name="221158259"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221158259" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221158259">(Dec 29 2020 at 19:05)</a>:</h4>
<p><span class="user-mention" data-user-id="138448">@cuviper</span> This is going to be a massive amount of churn. If we go this route, we still need to turn the lint up to warn in an edition, and then in a future edition we might be able to make the change.</p>



<a name="221158343"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221158343" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221158343">(Dec 29 2020 at 19:06)</a>:</h4>
<p>Also, there isn't currently consensus among the lang team that we should do this at all. Most of us do think we should, but there are reasonable objections as well.</p>



<a name="221158485"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221158485" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221158485">(Dec 29 2020 at 19:08)</a>:</h4>
<p>FWIW as one of the proponents of this idea originally I am increasingly uncertain it's quite the right thing - I might want to be even more strict - and I think we'd want to do no more than one migration here if at all possible. I do not think we should aim for anything in 2021; it seems unlikely that we will have consensus in the next year, speaking personally (not a lang team member of course).</p>



<a name="221192500"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221192500" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lokathor <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221192500">(Dec 30 2020 at 06:02)</a>:</h4>
<p>I think that it's only marginally the right move to make at all. The automated "fix" is to just change <code>unsafe fn foo() {</code> into <code>unsafe fn foo(){ unsafe {</code> and from there you can't necessarily reduce the span of that unsafe block at all, so you've just added verbosity for no gain.</p>
<p>Keeping it as deny-by-default and then allowing people who know they're doing a large amount of unsafe in a particular crate to override that in the crate is best.</p>
<p>A hard error would just plain be bad.</p>



<a name="221210263"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221210263" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221210263">(Dec 30 2020 at 12:53)</a>:</h4>
<p>The automated fix, IMO, should wrap each unsafe expression as tightly as possible - what you suggest is just the easiest fix.</p>



<a name="221212184"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221212184" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221212184">(Dec 30 2020 at 13:27)</a>:</h4>
<blockquote>
<p>Keeping it as deny-by-default and then allowing people who know they're doing a large amount of unsafe in a particular crate to override that in the crate is best.</p>
</blockquote>
<p>"keeping"? it's allow-by-default currently</p>



<a name="221253396"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221253396" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> scottmcm <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221253396">(Dec 30 2020 at 22:53)</a>:</h4>
<p><span class="user-mention silent" data-user-id="224872">Ryan Levick</span> <a href="#narrow/stream/268952-edition/topic/RFC.232585/near/221151700">said</a>:</p>
<blockquote>
<p>As a stakeholder from a company where Rust's safety is the number one reason for adoption, the more we can push for de-coupling of unsafe functions and unsafe blocks, the better. I'd love to see this get close to deny-by-default as possible.</p>
</blockquote>
<p>I'm not personally convinced that this makes a huge difference to that, though.  The correctness of the overall code still depends on all the code in the module outside of the unsafe blocks too.  That's why I'm ok with this as a lint -- so people can use it to help convince themselves things are correct -- but am not certain that it'd ever be worth making a strict <em>requirement</em> on <em>all</em> code.  (As I said earlier, I'm fine with it being opt-out, if that's helpful.  I just think it should remain <em>possible</em> to opt-out.)</p>
<p>For example, I could imagine us making a parameterized effect-like system for <code>unsafe</code> eventually, to have compiler assistance that you've met all of the preconditions for an unsafe call.  At which point the more-focused blocks would lose much of their value.</p>



<a name="221254452"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221254452" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221254452">(Dec 30 2020 at 23:10)</a>:</h4>
<p>Well, you presumably still want something like them to scope those effects. But I'm increasingly thinking that without an effects system of some kind, it's just really hard to maintain unsafe code today - it becomes almost write once.</p>



<a name="221285569"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221285569" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221285569">(Dec 31 2020 at 11:55)</a>:</h4>
<blockquote>
<p>I could imagine us making a parameterized effect-like system for unsafe eventually</p>
</blockquote>
<p>FWIW, I don't think <code>unsafe</code> can usefully be modeled as an effect. This is an old discussion though.<br>
Effects (and, more importantly, their absence) are about restricting the observable behavior of a function. <code>unsafe</code> is not observable. <code>unsafe</code> is about proof obligations. I think this has nothing to do with effects except for some superficial syntactical similarities.</p>



<a name="221285645"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221285645" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221285645">(Dec 31 2020 at 11:56)</a>:</h4>
<blockquote>
<p>I'm not personally convinced that this makes a huge difference to that, though. The correctness of the overall code still depends on all the code in the module outside of the unsafe blocks too. That's why I'm ok with this as a lint -- so people can use it to help convince themselves things are correct -- but am not certain that it'd ever be worth making a strict requirement on all code.</p>
</blockquote>
<p>one key argument in the RFC that proposed this lint was also that the current state makes it harder to understand the dual nature of <code>unsafe</code>: the <code>unsafe</code> keyword has two meanings (<em>defining</em> proof obligations vs <em>discharging</em> them); the fact that <code>unsafe fn</code> does both makes that harder to understand, which leads to confusion for many people.</p>



<a name="221286394"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221286394" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> lqd <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221286394">(Dec 31 2020 at 12:14)</a>:</h4>
<p>would you prefer the similar in goals, but different technique of <em>capability</em> instead of effect then ?</p>



<a name="221288087"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221288087" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221288087">(Dec 31 2020 at 12:51)</a>:</h4>
<p>I guess I don't have a clear enough idea of what you mean by "capability" here. I know that term from "capability machines" a la CHERI but that sounds unrelated, so I assume you mean something else. Maybe related to "object capabilities"? But I don't see how that could model <code>unsafe</code>, either...</p>



<a name="221288138"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221288138" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221288138">(Dec 31 2020 at 12:52)</a>:</h4>
<p><span class="user-mention" data-user-id="116122">@simulacrum</span> I guess I am wondering which problem with <code>unsafe</code> you think could be solved with an effect system. Is it "just" a more explicit account of the proof obligations that are involved?</p>



<a name="221288266"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221288266" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221288266">(Dec 31 2020 at 12:54)</a>:</h4>
<p>Yeah, basically. Effect might be the wrong word - I could imagine some kind of text based list of preconditions on functions which callers must either annotate as given or "pass up" to their own caller by name.</p>



<a name="221288277"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221288277" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221288277">(Dec 31 2020 at 12:54)</a>:</h4>
<p>yeah, some form of crude "program logic" is the way I'd think about this</p>



<a name="221288295"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221288295" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221288295">(Dec 31 2020 at 12:55)</a>:</h4>
<p>I think it's basically a formalization of what safety comments are intended to do (but nearly always fail to do)</p>



<a name="221288304"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221288304" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221288304">(Dec 31 2020 at 12:55)</a>:</h4>
<p>after all a (sophisticated) program logic is what one can use to <a href="https://people.mpi-sws.org/~jung/thesis.html">prove for real that some unsafe code is doing the right thing</a></p>



<a name="221288323"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221288323" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221288323">(Dec 31 2020 at 12:55)</a>:</h4>
<p><span class="user-mention silent" data-user-id="116122">simulacrum</span> <a href="#narrow/stream/268952-edition/topic/RFC.232585/near/221288295">said</a>:</p>
<blockquote>
<p>I think it's basically a formalization of what safety comments are intended to do (but nearly always fail to do)</p>
</blockquote>
<p>well, I wouldn't call it a formalization since it's just giving names to preconditions, it doesn't formalize their <em>meaning</em></p>



<a name="221288368"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221288368" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221288368">(Dec 31 2020 at 12:56)</a>:</h4>
<p>but it is making these safety comments more systematic</p>



<a name="221288386"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221288386" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221288386">(Dec 31 2020 at 12:56)</a>:</h4>
<p>Well, I could see the next step being adding some "well known" ones</p>



<a name="221288422"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221288422" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221288422">(Dec 31 2020 at 12:57)</a>:</h4>
<p>E.g. making ptr::read on a &amp;T which is T: Copy safe because a reference implicitly satisfies preconditions</p>



<a name="221288435"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221288435" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221288435">(Dec 31 2020 at 12:57)</a>:</h4>
<p>But that's obviously a "next" step</p>



<a name="221288527"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221288527" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221288527">(Dec 31 2020 at 12:58)</a>:</h4>
<p>yeah makes sense. we can start with a "logic" where everything is "opaque" ("function symbols" in the speak of first-order logic), and then introduce some identifiers that actually have a given meaning</p>



<a name="221288554"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221288554" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221288554">(Dec 31 2020 at 12:59)</a>:</h4>
<p>I do think that if we do this we should use a resourceful logic, i.e. separation logic, instead of "regular" first-order logic... but that would be a topic for a design meeting I think</p>



<a name="221288569"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221288569" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221288569">(Dec 31 2020 at 12:59)</a>:</h4>
<p>IOW, the logic should have a notion of "ownership"</p>



<a name="221288579"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221288579" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221288579">(Dec 31 2020 at 12:59)</a>:</h4>
<p>this is fundamental in proper proofs of soundness of Rust code</p>



<a name="221288582"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221288582" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221288582">(Dec 31 2020 at 12:59)</a>:</h4>
<p>Yeah, design meeting feels right</p>



<a name="221288768"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221288768" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221288768">(Dec 31 2020 at 13:02)</a>:</h4>
<p>I'd be happy to be involved in such a design :)</p>



<a name="221288796"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221288796" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221288796">(Dec 31 2020 at 13:02)</a>:</h4>
<p>I think getting the ergonomics right would be really hard - but not infeasible. My worry is that if we want to add this, doing so is going to imply a pretty major manual(!) shift in a lot of unsafe code, and in some sense we probably want to do it after UCG makes more progress, so that the proof obligations are better understood.</p>



<a name="221288838"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221288838" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221288838">(Dec 31 2020 at 13:03)</a>:</h4>
<p>That said the design of the feature could proceed in parallel to that (just not stabilize, most likely).</p>



<a name="221289020"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221289020" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221289020">(Dec 31 2020 at 13:07)</a>:</h4>
<p>I think one thing that I would want to see if we opt to include this in the edition is a formal style/lang guideline on where to place unsafe blocks - as tightly bound to the unsafe action, or wrapping the whole function. If it's the latter then (presumably) this tracking system would require us to later move them to tighter binding.</p>



<a name="221305972"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221305972" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lokathor <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221305972">(Dec 31 2020 at 17:55)</a>:</h4>
<p><span class="user-mention" data-user-id="120791">@RalfJ</span> keeping -&gt; "restricting the end goal of this change of the language"</p>



<a name="221306159"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221306159" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lokathor <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221306159">(Dec 31 2020 at 17:59)</a>:</h4>
<p><span class="user-mention" data-user-id="116122">@simulacrum</span> scott sorta hinted at it, but because lines next to an unsafe function can affect the legality of what's going on, auto-fix to have minimal sized blocks is probably incorrect sometimes, while auto-fix to maximum sized blocks is never incorrect (though it's often too wide a net).</p>



<a name="221306286"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221306286" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lokathor <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221306286">(Dec 31 2020 at 18:00)</a>:</h4>
<p>And in many cases, the unsafety actually is spread across an entire module, in a way that the compiler doesn't ever see and won't warn you about, and in a way that other tooling to "count lines of unsafe" (or whatever) will likely also never quite be smart enough to understand.</p>



<a name="221306341"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221306341" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221306341">(Dec 31 2020 at 18:01)</a>:</h4>
<p>It's not incorrect to scope to just the unsafe action; the unsafe blocks intent by my reading isn't to limit what needs to be audited, it's to know where the audit "starts" or terminates, where you need unsafety comments</p>



<a name="221306410"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221306410" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221306410">(Dec 31 2020 at 18:03)</a>:</h4>
<p>Minimal scoping provides this quite a bit more than a function level scope</p>



<a name="221334024"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221334024" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> scottmcm <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221334024">(Jan 01 2021 at 04:07)</a>:</h4>
<p><span class="user-mention silent" data-user-id="116122">simulacrum</span> <a href="#narrow/stream/268952-edition/topic/RFC.232585/near/221288295">said</a>:</p>
<blockquote>
<p>I think it's basically a formalization of what safety comments are intended to do (but nearly always fail to do)</p>
</blockquote>
<p>Yeah, that's a better phrasing of what I meant.</p>



<a name="221354030"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221354030" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221354030">(Jan 01 2021 at 14:32)</a>:</h4>
<p><span class="user-mention silent" data-user-id="224471">Lokathor</span> <a href="#narrow/stream/268952-edition/topic/RFC.232585/near/221306159">said</a>:</p>
<blockquote>
<p><span class="user-mention silent" data-user-id="116122">simulacrum</span> scott sorta hinted at it, but because lines next to an unsafe function can affect the legality of what's going on, auto-fix to have minimal sized blocks is probably incorrect sometimes, while auto-fix to maximum sized blocks is never incorrect (though it's often too wide a net).</p>
</blockquote>
<p>there's nothing "incorrect" about this IMO. e.g. <code>Vec::set_len</code> doesn't have an <code>unsafe</code> block in it, and I don't think that's incorrect.</p>



<a name="221359087"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221359087" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lokathor <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221359087">(Jan 01 2021 at 16:53)</a>:</h4>
<p>That's correct for current rust, but current rust is insufficient to properly express a lot of situations, and this is one of them.</p>
<p>Relying exclusively on privacy because we don't have a way to declare unsafe fields leads to a lot of needless trouble.</p>



<a name="221359617"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221359617" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221359617">(Jan 01 2021 at 17:08)</a>:</h4>
<p>while unsafe fields would be nice, I think relying on privacy makes a lot of sense</p>



<a name="221359671"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221359671" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221359671">(Jan 01 2021 at 17:08)</a>:</h4>
<p>privacy is one of <em>the</em> established abstraction mechanisms (some other ones being ML-style modules, and whatever Haskell is doing). and abstraction is the key to being able to hide unsafety behind a safe-to-use API.</p>



<a name="221365536"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221365536" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lokathor <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221365536">(Jan 01 2021 at 19:40)</a>:</h4>
<p>Relying exclusively on privacy only makes sense in a "this is the best we got" context.</p>



<a name="221365595"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221365595" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221365595">(Jan 01 2021 at 19:42)</a>:</h4>
<p><span class="user-mention silent" data-user-id="224471">Lokathor</span> <a href="#narrow/stream/268952-edition/topic/RFC.232585/near/221365536">said</a>:</p>
<blockquote>
<p>Relying exclusively on privacy only makes sense in a "this is the best we got" context.</p>
</blockquote>
<p>quite the contrary, privacy/modularity is <em>the key mechanism</em> to achieve separate reasoning and abstraction, like it is needed for safe APIs around unsafe code</p>



<a name="221365604"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221365604" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221365604">(Jan 01 2021 at 19:42)</a>:</h4>
<p>IMO everything else is a hack</p>



<a name="221365742"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221365742" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lokathor <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221365742">(Jan 01 2021 at 19:46)</a>:</h4>
<p>It's absolutely not needed for safe abstraction over unsafe operations <strong>if</strong> you're able to have unsafe fields (that can be marked as unsafe to read, write, or read-write). With an unsafe-field mechanism available, then data privacy would allow for being SemVer friendly and modular, but wouldn't be needed for safety.</p>



<a name="221398568"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221398568" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221398568">(Jan 02 2021 at 12:45)</a>:</h4>
<p>that's what I meant by "awful hack"</p>



<a name="221398580"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221398580" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221398580">(Jan 02 2021 at 12:45)</a>:</h4>
<p>IOW, I think unsafe fields must always be private</p>



<a name="221398582"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221398582" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221398582">(Jan 02 2021 at 12:46)</a>:</h4>
<p>a public unsafe field is nonsense, if you ask me. either your field has extra invariants attached to it (-&gt; make it private and unsafe) or it doesn't</p>



<a name="221398639"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221398639" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> bjorn3 <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221398639">(Jan 02 2021 at 12:47)</a>:</h4>
<p>A public unsafe field is equivalent to an <code>pub fn foo();</code>, <code>pub unsafe fn set_foo(...);</code> function pair, except that is plays nicer with the borrow checker.</p>



<a name="221398686"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221398686" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221398686">(Jan 02 2021 at 12:48)</a>:</h4>
<p>and except that the function makes it much easier to properly document and talk about what the caller and callee obligations are</p>



<a name="221398693"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221398693" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221398693">(Jan 02 2021 at 12:48)</a>:</h4>
<p>also it's not entirely equivalent since you can take references, which is more powerful than a setter, isn't it?</p>



<a name="221406751"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221406751" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lokathor <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221406751">(Jan 02 2021 at 16:41)</a>:</h4>
<p>you'd just document the field's invariants on the field's docs instead of a setter function's docs. There's no significant difference between those two.</p>



<a name="221407650"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221407650" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221407650">(Jan 02 2021 at 17:04)</a>:</h4>
<p>that still feels much less clean... though I will admit I have a hard time putting into words why using visibility feels "more right" to me than <code>pub</code> unsafe fields...</p>



<a name="221407684"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221407684" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221407684">(Jan 02 2021 at 17:05)</a>:</h4>
<p><span class="user-mention" data-user-id="120791">@RalfJ</span> what difference do you see between <code>pub unsafe fn set_len</code> and <code>pub unsafe len: usize</code>?</p>



<a name="221408083"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221408083" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221408083">(Jan 02 2021 at 17:15)</a>:</h4>
<p>when doing soundness proofs, I tend to ignore unsafe functions. They are, by definition, not sound <em>in general</em>, and their "safety" comment is informal, so it is much less clear what one would want or hope to prove about them.</p>



<a name="221408137"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221408137" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221408137">(Jan 02 2021 at 17:16)</a>:</h4>
<p>I suppose I could just pretend that all <code>unsafe</code> fields are private for the purpose of the proof, but... that feels wrong. Maybe I am just not used to it.</p>



<a name="221412674"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221412674" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lokathor <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221412674">(Jan 02 2021 at 19:06)</a>:</h4>
<p>I agree with you: I think you're just not used to it</p>



<a name="221412724"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/268952-edition%202021/topic/RFC%232585/near/221412724" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/268952-edition-2021/topic/RFC.232585.html#221412724">(Jan 02 2021 at 19:07)</a>:</h4>
<p>It sounds like you're missing tools for describing unsafe fields formally</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>